When a company incorporates, stockholders' potential damages are limited to the value of their stock. Once the stock has gone to $0, all potential liability is over. My friend thought that the limited liability protection ought to be removed so that injured parties could sue stockholders for far more than just the value of the stock. He felt that stockholders, under threat of losing personal assets beyond their stock investment, would be incentivized to only invest in "safe" companies, and businesses would strive to be more honest and more secure overall.

It sounds like an intriguing idea, except for one obvious result: Who would invest in unlimited liability corporations? You'd end up with fewer corporations, fewer jobs, and less innovation.

Obviously, the system we have now needs correction, but you don't need to do away with the idea of traditional corporations altogether. In fact, I would argue that -- warts and all -- we have about the level of risk we as a society have agreed to tolerate in return for greater reward. You just need a moderate course correction from time to time.

I've come to the same conclusion regarding software liability. For decades, tough security acolytes have argued that software vendors should be held liable for their software vulnerabilities. They want to change commercial laws, like my friend suggests above, to make the risk a company takes higher. Then and only then, according to these believers, will software companies make significantly more secure software.

I call bunk on that idea.

For one thing, there's no such thing as perfect software. All software has bugs and all software has security flaws. Even one of the strongest proponents of software vulnerability liability, Dr. Daniel J. Bernstein, who makes some of the most secure software in the world, has seen hackers uncover security bugs in his software. Few people in the world have the security skills that DJB has. But he is imperfect. He's human.